extension of the ocarina tool suite to support reliable ... · extension of the ocarina tool suite...

Extension of the Ocarina Tool Suite to support Reliable Replication-Based Fault-Tolerance

21st International Conference on Reliable Software Technologies

Ada-Europe’2016

June 13-17 Pisa, Italy

Wafa GABSI Bechir ZALILA Mohamed Jmaiel

[email protected] [email protected] [email protected]

Outline

7/18/20162

1 Context & motivation

2Issues

3Objectives

4Approach

5Case study

6Conclusion & Future work

3 7/18/2016

Context (1/2)

With the evolution of distributed real-time embedded

systems, new requirements for high dependability and fault

tolerance are emerging

These requirements have to be satisfied at design time

Such systems must be highly dependable in order to increase

their performance, effectiveness and reliability

Some work provide design supports of fault tolerance

techniques such as model weaving or passive replication

applied to AADL models

Context Issues Objectives Approach Case study Conclusion & Future work

7/18/2016

SystemModeling

Functional Concerns

Ocarina Code Generator

WeavingFunctionalCode

Fault Tolerant code

Cross-cutting Concerns

Fault Tolerance

Context (2/2)


4

5 7/18/2016

Error Model Annex

Strong support of several concepts related to fault

tolerance

Formal specification of different types of errors, error propagation and

error behaviors

State machineserror behavior:

Error events, error states and propagation

conditions

Safety analysis tools implemented to support

safety and reliability evaluation process

ErrorModel Annex


Outline

7/18/20166

1 Context & motivation

2Issues

3Objectives

4Approach

5Case study


7 7/18/2016

Replication Issues


It does not supportautomatic redundancy indistributed real-timeembedded systems.

It relies on manuallyspecified redundancy ofcomponents, connections

and behaviors.

Most of existingworks consider only onereplication style but notboth.

The more the replicasor replicated componentswe have, the morecomplex and error pronethe model is.

Outline

7/18/20168

1Context & motivation

2Issues

3Objectives

4Existing Work

5Approach


9 7/18/2016

Objectives

Support automatic replication of AADL components2

Assist the designer in modeling the fault tolerant

system by integrating replication techniques from the

design phase

1


Support automatic code generation of both active and

passive replication

3

Outline

7/18/201610


2Issues

3Objectives

4Approach

5Case study


A model driven fault tolerance approach,

relying on automatic replication of AADL

components since the design level and

automatic code generation for both active

and passive replication

7/18/2016

SystemModeling

Functional Concerns Cross-cutting Concerns

Fault Tolerance


Approach (1/2)

11

12 7/18/2016

Approach (2/2)

Assist the designer in modeling his system by automation of

the replication design using properties

Encapsulate the needed replication parameters into a

property set and integrate them in the base model through a

model transformation

Define:

A set of properties to describe replication concepts

A set of transformation rules to generate a replicated model

Implement these rules into the Ocarina tool suite


13 7/18/2016

Replication process

AnnexesPropertiesComponents Connections

Transformationrules using Ocarina

Intermediate model describingthe system architecture enrichedwith variants and deciders


Consensus algorithm

Number of variantsVariants AdjudicatorsReplication

style

Replicationof other

components

Code generation

ModelChecking

SchedulingAnalysis

ModelAnalysis

Replicationextension

14 7/18/2016

Replication property set


Description : aadlString;

Replica_Number : aadlInteger;

Replica_Identifiers : list of aadlString applies to (system, process, thread,

processor, device);

Replica_Type : Replication::ReplicationType;

ReplicationType: type enumeration(Active, Passive);

consensusAlgorithm_Source_Text: aadlString;

consensusAlgorithm _Class: classifier (subprogram classifier) applies to

(system, process, thread, device, subprogram, event data port);

consensusAlgorithm_Ref: reference ( subprogram classifier ) applies to

(system, process, thread, device, subprogram, event data port);

PropertySet Replication_Properties is

end Replication_Properties;

15 7/18/2016

Replicate what ?


Supported AADL Components:

Components hierarchy

Properties and possible features of each component

Modes and mode transitions

AADL components

Software hardware Hybrid

Process Device

SystemThread Memory

Data Processor

Subprogram Bus

X

XX

X

16 7/18/2016

Ocarina Extension (1/4)

We check the validity of the use of our property set items

using Ocarina

Replica number bounded between the minimal and the

maximal number of replicas

Type of the replication: active or passive

Consensus algorithm specified to decide about replicas

Properties have to be coherent and not redundant


VALIDATION OF THE PROPERTIES USE1

17 7/18/2016




EXTRACTION OF THE LIST OF PROPERTIES2

we extract for each replicated component the list of

properties

Collecting all replication properties as a record

Invoking the suitable transformation rules to apply the

expansion of the AADL model

18 7/18/2016





EXPANSION OF THE AADL MODEL3

Based on transformation rules, we expand the AADL base

model with replicas by manipulating its AADL tree

A replication algorithm is applied to extend the model by the

replication mechanisms depending on the type of replicated

component and on the selected replication strategy

19 7/18/2016





EXPANSION OF THE AADL MODEL3

GENERATION OF THE ENRICHED AADL MODEL FROM ITS EXPANDED TREE4

Outline

7/18/201620


2Issues

3Objectives

4Approach

5Case study


21 7/18/2016

Case study: Robot system


22 7/18/2016

Case study: Replication properties


23 7/18/2016

Case study: generated Model


24 7/18/2016

Case study: Results


The generated model is complicated with respect to the

initial one

We help the designer to generate it while reducing the risk

of errors and decreasing the number of lines of code in a

meaningful way (up to 50%)

To validate the consistency of the generated intermediate

model, we used Ocarina again to parse it and to generate Ada

code using the PolyORB-HI middleware, GNATforLEON to

compile it and TSIM to simulate it

Outline

7/18/201625


2Issues

3Objectives

4Approach

5Case study


26 7/18/2016

A new approach based on automation of replication of AADL

components

An approach supporting both active and passive replication

Enabling designers to choose different number of variants

even in a single model

The workload of the designer minimized to only indicating

the original component subject to replication, specifying the

replication style, setting the number of variants and defining

the consensus algorithm for each replicated component

Conclusion


27 7/18/2016

Future work

Accomplish the extension of this tool by passive replication

Extend the POLYORB-HI middleware with fault tolerant

concepts

Enrich Ocarina with various consensus algorithms that are

well used to ensure software fault tolerance including all

agreement, weak validity, strong validity and termination

Formally verify our approach


7/18/2016

For more questions:

[email protected]

extension of the ocarina tool suite to support reliable ... · extension of the ocarina tool suite...

Documents